This command enables/disables accounting for subscribers and context-level administrative users for the current context.

default

Configures the default setting.

Default: RADIUS

no

Disables AAA accounting per the options specified.

radius-diameter

Enables AAA accounting for context-level administrative users.

subscriber

Enables AAA accounting for subscribers.

radius-diameter

Enables RADIUS or Diameter accounting for subscribers.

This command enables/disables authentication for subscribers and context-level administrative users for the current context.

default

Configures the default setting for the specified parameter.

no

Disables AAA authentication for administrator(s)/subscribers as specified.

administrator | subscriber

local | none | radius-diameter

Enables AAA authentication for administrator(s)/subscribers as specified.

This command configures the password used during authentication for sessions using a Constructed Network Access Identifier (NAI) or an APN-specified user name.

no

Disables authentication based upon the constructed NAI.

[ encrypted ] password user_password

encrypted : Specifies that the user password should be encrypted.

password user_password : Specifies an authentication password for the NAI-constructed user.

In 12.1 and earlier releases, the user_password must be an alphanumeric string of 0 through 63 characters with or without encryption.

In 12.2 and later releases, the user_password must be an alphanumeric string of 0 through 63 characters without encryption, or 1 through 132 characters with encryption.

use-shared-secret-password

Specifies using RADIUS shared secret as the password. Default: No password

This command configures the system to use the value of the Filter-Id AVP as the ACS rulebase name.

no

Disables the mapping of Filter-Id AVP and ACS rulebase name.

default

Configures the default setting. Default: Disabled

This command enables/disables the creation, configuration or deletion of AAA server groups in the context.

no

Deletes the specified AAA group.

group_name

Specifies name of the AAA group.

If the specified AAA group does not exist, it is created, and the prompt changes to the AAA Server Group Configuration Mode, wherein the AAA group can be configured.

If the specified AAA group already exists, the prompt changes to the AAA Server Group Configuration Mode, wherein the AAA group can be configured.

group_name must be an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any prompt and confirmation from the user.

This command sets policies on how Network Access Identifiers (NAIs) are handled during the authentication process.

default

Sets the NAI policy back to its default setting which is to remap hexadecimal digits in NAIs and accept calls with embedded 0x00 hexadecimal digits.

no

Disable remapping of hexadecimal digits in the NAI and reject calls that have a 0x00 hexadecimal digit embedded in the NAI.

reformat-alg-hex-0-9

Default: Enabled

Controls remapping of NAIs that consist only of hex digits 0x00 through 0x09 or if a 0x00 hexadecimal digit is embedded in the NAI.

By default, the system remaps NAIs that consist solely of characters 0x00 through 0x09to their ASCII equivalent. For example; 0x00 0x01 0x2 0x03 will get remapped to 123.

Also by default the system accepts an NAI containing one or more 0x00 characters within the NAI ignoring all characters after the first 0x00.

When this keyword is disabled NAIs are processed as follows:

Enables and disables TACACS+ AAA services for this context

default

Enables TACSCS+ services for this context.

no

Disables TACACS+ services for this context.

Configures the behavior of access control for the current context when an undefined access control list is specified.

default

Configures the default setting.

no

Disables handling undefined access lists.

deny-all

Specifies to drop all packets when an undefined ACL is specified.

permit-all

Specifies to forward all packets when an undefined ACL is specified.

Configures a user with Administrator privileges in the current context.

administrator user_name [ encrypted ] [ nopassword ] password password [ max-age days][ no-max-age ]| [ ecs ] [ expiry-date date_time ] [ ftp [ sftp-server sftp_name ] ] [ li-administration ] [ nocli ] [ noconsole ] [ noecs ] [ timeout-absolute timeout_absolute  ] [ timeout-min-absolute timeout_min_absolute ] [ timeout-idle timeout_idle ][ timeout-min-idle timeout_min_idle ] [ exp-grace-interval days] [ exp-warn-interval days] [ no-exp-grace-interval ] [ no-exp-warn-interval ] 

no

Removes Security Administrator privileges for the specified user name.

user_name

Specifies the username for which Security Administrator privileges must be enabled in the current context. user_name must be an alphanumeric string of 1 through 32 characters.

[ encrypted ] password password

Specifies password for the user name. Optionally, the encrypted keyword can be used to specify the password uses encryption.

password must be an alphanumeric string of 1 through 63 characters without encryption, and 1 through 132 characters with encryption.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

[ nopassword ]

This option allows you to create an administrator without an associated password. Enable this option when using ssh public keys (authorized key command in SSH Configuration mode) as a sole means of authentication. When enabled this option prevents someone from using an administrator password to gain access to the user account.

ecs

Permits the user to use ACS-specific configuration commands. Default: Permitted

expiry-date date_time

Specifies the date and time that this login account expires.

Enter the date and time in the YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss format. Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.

ftp

Permits the user to use FTP and SFTP. Default: Not permitted

[ sftp-server sftp_name ]

Assigns an optional root directory and access privilege to this user. sftp_name must have been previously created via the SSH Server Configuration mode subsystem sftp command.

li-administration

Refer to the Lawful Intercept Configuration Guide for a description of this parameter.

nocli

Prevents the user from using the command line interface. Default: Permitted

noconsole

Disables user access to a Console line.

Note	The Global Configuration mode local-user allow-aaa-authentication noconsole command takes precedence in a normal (non-Trusted) StarOS build. In this case, all AAA-based users cannot access a Console line.

noecs

Prevents the user from accessing ACS-specific commands.

timeout-absolute timeout_absolute

Important

This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum time, in seconds, the Security Administrator may have a session active before the session is forcibly terminated. timeout_absolute must be an integer from 0 through 300000000.

The value 0 disables this timeout configuration.

Default: 0

timeout-min-absolute timeout_min_absolute

Specifies the maximum time (in minutes) the Security Administrator may have a session active before the session is forcibly terminated. timeout_min_absolute must be an integer from 0 through 525600. The value 0 disables this timeout configuration. Default: 0

timeout-idle timeout_idle

Important

This keyword is obsolete. It has been left in place for backward compatibility. If used a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum time, in seconds, the Security Administrator may have a session active before the session is terminated. timeout_idle must be an integer from 0 through 300000000.

The value 0 disables the idle timeout configuration.

Default: 0

timeout-min-idle timeout_min_idle

Specifies the maximum time, in minutes, the Security Administrator may have a session active before the session is terminated. timeout_min_idle must be an integer from 0 through 525600. The value 0 disables the idle timeout configuration. Default: 0

[ max-age days]

Defines the maximum age of a user password before it has to be changed. max-age is the replacement for expiry-date .

[ no-max-age ]

This parameter ensures that password never expires (these are non expiring passwords).

exp-warn-interval days

Impends password expiry warning interval in days. There is no default value at per user level. If any of the value is specified, Context global values are considered.

administrator trexpac111 password pass@1234

In the previous example, there are no values for expiry, grace, and warn are provided. In this case, Global values for both of them will be considered.

[ no-exp-warn-interval ]

Disables impending password expiry warnings .

exp-grace-interval days

Specifies password expiry grace interval in days. Default = 3 days after expiry.

[ no-exp-grace-interval ]

Disables grace period of expired password.

Configure apgroupname-list under the samog context with blocked apgroupnames.

no apgroupname-listaplistname1

apgroupname-list : Configures the APGROUPNAME list.

Only 25 AP group names are allowed to be configured in the list. You can create a maximum of 10 AP group name lists per context.

If the apgroupname-list is dis-associated for any specific samog-service, then AP group names under the list are considered as allowed for the session continuation.

no apgrp apgrpname1

no : Removes APGROUPNAME entry from APGROUPNAME list.

apgrp : Configures blocked apgroup names within the list.

apgrp : Configures blocked apgroup names within the list.

Creates or deletes Access Point Name (APN) templates and enters the APN Configuration Mode within the current context.

no

Deletes a previously configured APN template.

apn_name

Specifies a name for the APN template as an alphanumeric string of 1 through 62 characters that is case insensitive. It may also contain dots (.) and/or dashes (-).

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Caution

If this keyword option is used with the no apn apn_name command, the APN named apn_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.

Creates, deletes or manages the Quality of Service (QoS) descriptor table identifier for Access Service Node Gateway (ASN-GW) service and enters the ASN QoS Descriptor Table Identifier Configuration mode within the source context.

no

Deletes a preciously configured ASN QoS descriptor table identifier.

id qos_table_id

Specifies a unique identifier for ASN QoS descriptor table to create/configure. qos_table_id must be an integer from 1 through 65535.

[ default ] dscp

Specifies DSCP marking for this QoS descriptor.

[ be | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af 43 | ef ]

The DSCP marking for this QoS descriptor. Default value is be (best effort).

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Caution

If this keyword option is used with no asn-qos-descriptor id qos_table_id command, the ASN QoS descriptor table with identifier qos_table_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.

Creates, deletes or manages the Service Profiles Identifier for Access Service Node Gateway (ASN-GW) service subscribers and enters the ASN Service Profile Configuration mode within the current context.

no

Deletes a preciously configured ASN service profile identifier.

id asn-profile_id

Specifies a unique identifier for ASN profile to create/configure.

direction { bi-directional | downlink | uplink }

Specifies the direction of data traffic to apply this service profile.

bi-directional : Enables this service profile in both direction of uplink and downlink.

downlink : Enables this service profile in downlink direction, towards the subscriber.

uplink : Enables this service profile in uplink direction, towards the system.

activation-trigger { activate | admit | dynamic-reservation | provisioned

Use this option to configure the activation-trigger for the asn-service-profile. Default: provisioned | admit | activate

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Caution

If this keyword option is used with no asn-service-profile id asn_profile_id command, the ASN service profile with identifier asn_profile_id will be deleted with all active/inactive configurations without prompting any warning or confirmation.

Creates, deletes or manages an Access Service Node Gateway (ASN-GW) service and enters the ASN Gateway Service Configuration Mode within the current context.

no

Deletes a previously configured ASN-GW service.

asngw_name

Specifies the name of the ASN-GW service to create/configure as an alphanumeric string of 1 through 63 characters that is case sensitive.

Important

Service names must be unique across all contexts within a chassis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Caution

If this keyword option is used with no asn-service asngw_name command, the ASN-GW service named asngw_name will be deleted with all active/inactive subscribers without prompting any warning or confirmation.

Creates, deletes or manages an ASN Paging Controller service to manage the ASN paging controller service and enters the ASN Paging Controller Configuration mode within the current context.

no

Deletes a preciously configured ASN paging controller service.

asnpc-service asn_pc_svc_name

Specifies the name of the ASN Paging Controller Service to create and enable as an alphanumeric string of 1 through 63 characters that is case sensitive.

Important

Service names must be unique across all contexts within a chassis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Caution

If this keyword option is used with no asnpc-service asn_pc_svc_name command, the ASN Paging Controller service named asn_pc_svc_name will be deleted and disabled with all active/inactive paging groups and paging agents configured in a context for ASN paging controller service without prompting any warning or confirmation.

Associate a global QoS Level 2 mapping table to a VPN context.

default

Associates the system-default table with this context.

name map_table_name

Specifies the name of an existing internal table from which to map QoS to L2 values.

map_table_name is an alphanumeric string of 0 through 80 characters.

Enables or disables Bidirectional Forwarding Detection (BFD) protocol and enters the BFD Configuration mode.

no

If previously configured, disables BFD protocol.

Enables or disables the router to send 4-octet ASN capabilities.

no

Disables the ability of the router to send 4-octet ASN capabilities.

Creates or deletes Broadcast Multicast Service Center (BM-SC) profiles and enters the BMSC Profile Configuration Mode within the current context.

no

Deletes a previously configured BM-SC profile.

name bmsc_profile_name

Specifies a name for the BM-SC profile as an alphanumeric string of 1 through 62 characters that is case insensitive. It may also contain dots (.) and/or dashes (-).

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Caution

If this keyword option is used with no bmsc-profile name bmsc_profile_name command, the BM-SC profile named bmsc_profile_name is deleted with all active/inactive subscribers without prompting any warning or confirmation.

Makes addresses from an IPv4 pool in the current context unavailable once they are free.

no

Disables the busyout command specified.

ip

Configure IPv4 busyout information.

pool

Configure IPv4 pool busyout information.

all

Applies to all IPv4 pools in the current context.

all-dynamic

Applies to all dynamic IPv4 pools in the current context.

all-static

Applies to all static IPv4 pools in the current context.

name pool_name

Applies the named IP pool or IP pool group in the current context. pool_name must be the name of an existing IP pool or IP pool group in the current context.

Important

Adding the IP Pool command and the Busyout command of the same IP Pool at the same time creates a race condition. To avoid the issues, run the IP Pool command and Busyout command separately.

vrf vrf_name

Busyout the IP pool by the VRF name. You can busyout and unbusy all pools in the VRF up to the limits of the context.

Note	If a IP pool is already marked as busyout and associated with a VRF, the IP Pool busyout status remains the same .

address-range start_address end_address

Busyout all addresses from start_address through end_address . start_address : The beginning IP address of the range of addresses to busyout entered in IPv4 dotted-decimal notation.

end_address : The ending IP address of the range of addresses to busyout. This IP address must exist in the pool specified and entered in IPv4 dotted-decimal notation.

lower-percentage percent

Busyout the percentage of IPv4 addresses specified, beginning at the lowest numbered IP address. This is a percentage of all of the IP addresses in the specified IP pool. percent must be an integer from 1 through 100.

upper-percentage percent

Busyout the percentage of IPv4 addresses specified, beginning at the highest numbered IP address. This is a percentage of all of the IPv4 addresses in the specified IP pool. percent must be an integer from 1 through 100.

Makes addresses from an IPv6 pool in the current context unavailable once they are free.

no

Disables the busyout command specified.

ipv6

Configure IPv6 busyout information.

pool

Configure IPv6 pool busyout information.

all

Applies to all IPv6 pools in the current context.

all-dynamic

Applies to all dynamic IPv6 pools in the current context.

all-static

Applies to all static IPv6 pools in the current context.

name pool_name

Applies the named IPv6 pool or IPv6 pool group in the current context. pool_name must be the name of an existing IPv6 pool or IPv6 pool group in the current context.

Important

Adding the IPv6 Pool command and the Busyout command of the same IPv6 Pool at the same time creates a race condition. To avoid the issues, run the IPv6 Pool command and Busyout command separately.

vrf vrf_name

Busyout the IP pool by the VRF name. You can busyout and unbusy all pools in the VRF up to the limits of the context.

Note	If a IP pool is already marked as busyout and associated with a VRF, the IP Pool busyout status remains the same..

address-range start_address end_address

Busyout all addresses from start_address through end_address . start_address : The beginning IP address of the range of addresses to busyout entered in IPv6 colon-separated-hexadecimal notation.

end_address : The ending IP address of the range of addresses to busyout. This IP address must exist in the pool specified and entered in IPv6 colon-separated-hexadecimal notation.

lower-percentage percent

Busyout the percentage of IP addresses specified, beginning at the lowest numbered IPv6 address. This is a percentage of all of the IP addresses in the specified IP pool. percent must be an integer from 1 through 100.

upper-percentage percent

Busyout the percentage of IP addresses specified, beginning at the highest numbered IPv6 address. This is a percentage of all of the IP addresses in the specified IP pool. percent must be an integer from 1 through 100.

Creates a CAE group, which is a CAE server cluster that services TCP video requests from the Mobile Video Gateway. The Mobile Video Gateway uses the configured CAE group for CAE load balancing. The CAE (Content Adaptation Engine) is an optional component of the Mobile Videoscape.

Important

In release 20.0, MVG is not supported. This command must not be used in release 20.0. For more information, contact your Cisco account representative.

no cae_group_name

Deletes the CAE group if previously configured.

cae_group_name

Creates the specified CAE group and enters the Video Group Configuration Mode. cae_group_name is an alphanumeric string of 1 through 79 characters.

-noconfirm

Executes the command without any prompt and confirmation from the user.

Creates an instance of the Customized Applications for Mobile Enhanced Logic (CAMEL) service and enters the CAMEL service configuration mode. This mode configures or edits the configuration for the parameters which control the CAMEL functionality on the SGSN.

no

Remove the configuration for the specified SGSN service from the configuration of the current context.

srvc_name

Creates a CAMEL service instance having a unique name expressed as an alphanumeric string of 1 through 63 characters.

Important

Service names must be unique across all contexts within a chassis.

Important

In Release 20, 21.0 and 21.1, HeNBGW is not supported. This command must not be used for HeNBGW in these releases. For more information, contact your Cisco account representative.

Creates a new Cell Broadcasting Service (CBS) or specifies an existing CBS and enters the CBS Configuration Mode.

no

Removes the specified CBS service from the context.

name

Specifies the name of a new or existing CBS service as an alphanumeric string of 1 through 63 characters that must be unique within the same context and across all contexts.

Important

Service names must be unique across all contexts within a chassis.

Creates a new SSL cipher suite or specifies an existing cipher suite and enters the Cipher Suite Configuration Mode.

no

Removes the specified SSL cipher suite from the context.

name

Specifies the name of a new or existing SSL cipher suite as n alphanumeric string of 1 through 127 characters that must be unique across all CSCF services within the same context and across all contexts.

Creates or deletes a class map. If the class-map is newly created, the system enters the Class-Map Configuration Mode within the current destination context to configure the match rules for packet classification to flow-based traffic policing for a subscriber session flow.

no

Deletes configured Class-Map within the context.

class_name

Specifies the name of Class-Map rule as an alphanumeric string of 1 through 15 characters and is case sensitive.

match-all

Default: Enabled.

Enables AND logic for all matching parameters configured in specific Class-Map to classify traffic flow/packets. It indicates to match all classification rules in specific Class-Map to consider the specified Class-Map as a match.

match-any

Default: Disabled.

Enables OR logic for matching parameters configured in specific Class-Map to classify traffic flow/packets. It indicates to match any of the classification rule in specific Class-Map to consider the specified Class-Map as a match.

Enables or disables session handoff between Closed-RP and RP connections. Default: Disabled

default

Resets the command to its default setting of disabled.

no

Disables Closed-RP to RP session handoff.

Configures a context-level configuration administrator account within the current context.

no

Removes a previously configured context-level configuration administrator account.

user_name

Specifies the name for the account as an alphanumeric string of 1 through 32 characters.

[ encrypted ] password password

Specifies the password to use for the user which is being given context-level administrator privileges within the current context. The encrypted keyword indicates the password specified uses encryption.

password is an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 characters with encryption.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

[ nopassword ]

This option allows you to create a configuration administrator without an associated password. Enable this option when using ssh public keys (authorized key command in SSH Configuration mode) as a sole means of authentication. When enabled this option prevents someone from using a configuration administrator password to gain access to the user account.

ecs

Permits the user access to ACS-specific configuration commands. Default: Enhanced Charging Service (ECS / ACS) specific configuration commands allowed.

expiry-date date_time

Specifies the date and time that this account expires in the format YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss.

Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.

ftp

Indicates the user gains FTP and SFTP access with the administrator privileges. Default: FTP and SFTP are not allowed.

[ sftp-server sftp_name ]

Assigns an optional root directory and access privilege to this user. sftp_name must have been previously created via the SSH Server Configuration mode subsystem sftp command.

li-administration

Refer to the Lawful Intercept Configuration Guide for a description of this parameter.

nocli

Indicates the user is not allowed to access the command line interface. Default: CLI access allowed.

noconsole

Disables user access to a Console line.

Note	The Global Configuration mode local-user allow-aaa-authentication noconsole command takes precedence in a normal (non-Trusted) StarOS build. In this case, all AAA-based users cannot access a Console line.

noecs

Prevents the specific user from accessing ACS-specific configuration commands.

timeout-absolute abs_seconds

Important

This keyword is obsolete. It has been left in place for backward compatibility. If used a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of time (in seconds) that the administrator may have a session active before the session is forcibly terminated. abs_seconds must be an integer from 0 through 300000000. The value 0 disables the absolute timeout. Default: 0

timeout-min-absolute abs_minutes

Specifies the maximum amount of time (in minutes) the context-level administrator may have a session active before the session is forcibly terminated. abs_minutes must be an integer from 0 through 525600 (365 days). The value 0 disables the absolute timeout. Default: 0

timeout-idle timeout_duration

Important

This keyword is obsolete. It has been left in place for backward compatibility. If used a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of idle time, in seconds, the context-level administrator may have a session active before the session is terminated. timeout_duration must be a value in the range from 0 through 300000000. The value 0 disables the idle timeout. Default: 0

timeout-min-idle idle_minutes

Specifies the maximum amount of idle time, in minutes, the context-level administrator may have a session active before the session is terminated. idle_minutes must be a value in the range from 0 through 525600 (365 days). The value0 disables the idle timeout. Default: 0

[ max-age days]

Defines the maximum age of a user password before it has to be changed. max-age is the replacement for expiry-date .

[ no-max-age ]

This parameter ensures that password never expires (these are non expiring passwords).

exp-warn-interval days

Impends password expiry warning interval in days. There is no default value at per user level. If any of the value is specified, Context global values are considered.

config-administrator trexpac111 password pass@1234

In the previous example, there are no values for expiry, grace, and warn are provided. In this case, Global values for both of them will be considered.

[ no-exp-warn-interval ]

Disables impending password expiry warnings .

exp-grace-interval days

Specifies password expiry grace interval in days. Default = 3 days after expiry.

[ no-exp-grace-interval ]

Disables grace period of expired password.

Enables or disables the creation, configuration or deletion of Content Filtering Server Groups (CFSG).

no

Removes the specified CFSG previously configured in this context.

server-group cf_server_group_name

Specifies the name of the CFSG as an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any prompt and confirmation from the user.

Enables or disables the creation, configuration or deletion of credit-control services.

no

Deletes the specified credit-control service.

service_name

Specifies name of the credit-control service as an alphanumeric string of 1 through 63 characters.

If the named credit-control service does not exist, it is created, and the CLI mode changes to the Credit Control Service Configuration Mode wherein the service can be configured.

If the named credit-control service already exists, the CLI mode changes to the Credit Control Service Configuration Mode wherein the service can be configured.

Important

Service names must be unique across all contexts within a chassis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Enables or disables the reverse DNS query from a Security Gateway to DNS.

no

Disables the Reverse DNS query.

Creates or deletes a crypto group and enters the Crypto Configuration Mode allowing the configuration of crypto group parameters.

no

Deletes a previously configured crypto group.

group_name

Specifies the name of the crypto group as an alphanumeric string of 1 through 127 characters that is case sensitive.

Important

A maximum of 32 crypto groups per context can be configured.

Configures transform-sets on the system and enters the Crypto IPSec Transform Set Configuration Mode.

no

Removes a previously configured transform set

transform_name

Specifies the name of the transform set as an alphanumeric string of 1 through 127 characters that is case sensitive.

ah hmac

Configures the Authentication Header (AH) hash message authentication codes (HMAC) parameter for the transform set to one of the following:

esp hmac

Configures the Encapsulating Security Payload (ESP) hash message authentication codes (HMAC) parameter for the transform set to one of the following:

cipher

If ESP is enabled, this option must be used to set the encapsulation cipher protocol to one of the following:

Configures the name of the policy and enters the specified Crypto Map Configuration mode.

no

Removes a previously configured crypto map.

name

Specifies the name of the crypto map as an alphanumeric string of 1 through 127 characters that is case sensitive.

ikev2-ipv6

Refer to the Lawful Intercept Configuration Guide for a description of this parameter.

ipsec-dynamic

Creates a dynamic crypto map and/or enters the Crypto Map Dynamic Configuration Mode.

ipsec-ikev1

Creates an IKEv1 crypto map and/or enters the Crypto Map IKEv1 Configuration Mode.

ipsec-manual

Creates a manual crypto map and/or enters the Crypto Map Manual Configuration Mode.

Creates a new or specifies an existing crypto template or crypto vendor template and enters the Crypto Template Configuration Mode or Crypto Template IKEv2-Vendor Configuration Mode.

Important

In Release 20, 21.0 and 21.1, HeNBGW is not supported. This command must not be used for HeNBGW in these releases. For more information, contact your Cisco account representative.

no

Removes a previously configured crypto template.

name ikev2-pdif

Specifies the name of a new or existing crypto template as an alphanumeric string of 1 through 127 characters.

ikev2-dynamic

Configures the Crypto Template to be used for IPSec functionalities.

ikev2-vendor

Configures the Crypto Vendor Template to be used for IPSec functionalities.

notify-payload pdn-type-allowed

Enables sending of PDN type notification in Notify Payload.

no notify-payload pdn-type-allowed

Disables sending of PDN type notification in Notify Payload.

Creates a new or specifies an existing crypto vendor policy and enters the Crypto Vendor Policy Configuration Mode.

no

Removes the previously configured vendor policy.

policy_name

policy_name must be an alphanumeric string of 1 through 127 characters.

In StarOS 9.0 and later releases, this command is obsolete. And, in earlier releases, this command is restricted.

Configures CUPS IP pool chunk threshold timer for a context.

default

Sets the default value of 60 seconds.

threshold_timer_seconds

threshold_timer_seconds specifies the chunk threshold timer value in seconds, integer 30 to 300.

Enables CUPS for a context.

Configures maximum number of User Planes expected to be functional in a system.

default

Sets the default maximum number of User Planes to 10.

value

The value should be in the range of 1 through 1000.

Configures minimum percentage of chunks per pool in a context.

default

Sets the default percentage to 10.

threshold_percent

threshold_percent specifies minimum chunks in percentage of 0 to 50.

Enables or disables CUPS Redundancy Protocol (CRP) and enters the CRP Configuration mode.

Mode

Exec > Global Configuration > Context Configuration

Entering the above command sequence results in the following prompt:

[context_name]host_name (config-ctx)#

no

If previously configured, disables CRP.

Allows you to enter descriptive text for this configuration.

no

Clears the description for this configuration.

text

Enter descriptive text as an alphanumeric string of 1 to 100 characters.

If you include spaces between words in the description, you must enclose the text within double quotation marks (" "), for example, "AAA BBBB".

Adds a specified Dynamic Host Control Protocol (DHCP) client profile name to allow configuration of DHCP client profile to the current context and enters the configuration mode for that profile.

no

Removes a previously configured DHCP client profile from the current context.

clnt_profile_name

Specifies the name of the DHCP client profile as an alphanumeric string of 1 through 63 characters that is case sensitive.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Caution

If this keyword option is used with no dhcp-client-profile clnt_profile_name command the DHCP client profile named clnt_profile_name is deleted with all active/inactive subscribers without prompting any warning or confirmation.

Adds a specified Dynamic Host Control Protocol (DHCP) server profile name to allow configuration of DHCP server profile to the current context and enters the configuration mode for that profile.

no

Removes a previously configured DHCP server profile from the current context.

srvr_profile_name

Specifies the name of the DHCP server profile as an alphanumeric string of 1 through 63 characters that is case sensitive.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Caution

If this keyword option is used with no dhcp-server-profile srvr_profile_name command the DHCP server profile named srvr_profile_name is deleted with all active/inactive subscribers without prompting any warning or confirmation.

Adds a Dynamic Host Control Protocol (DHCP) service instance to the current context and enters the DHCP Service Configuration mode for that service.

no

Removes a previously configured DHCP service from the current context.

service_name

Specifies the name of the DHCP service as an alphanumeric string of 1 through 63 characters that is case sensitive.

Important

Service names must be unique across all contexts within a chassis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Creates a specified DHCPv6 service name to allow configuration of DHCPv6 service to the current context and enters the configuration mode for that service.

no

Removes a previously configured DHCPv6 service from the current context.

service_name

Specifies the name of the DHCPv6 service as an alphanumeric string of 1 through 63 characters that is case sensitive.

Important

Service names must be unique across all contexts within a chassis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Caution

If this keyword option is used with no dhcpv6-service service_name command the DHCPv6 service named service_name is deleted with all active/inactive subscribers without prompting any warning or confirmation.

This command configures Diameter accounting related settings.

no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }

endpoint : Removes the currently configured accounting endpoint. The default accounting server configured in the default AAA group will be used.

hd-mode :Sends records to the Diameter server, if all Diameter servers are down or unreachable, then copies records to the local HDD and periodically retries the Diameter server.

hd-storage-policy : Disables use of the specified HD storage policy.

max-retries : Disables the retry attempts for Diameter accounting in this AAA group.

max-transmissions : Disables the maximum number of transmission attempts for Diameter accounting in this AAA group.

server host_name : Removes the Diameter host host_name from this AAA server group for Diameter accounting.

default diameter accounting { dictionary | hd-mode | max-retries | max-transmissions | request-timeout }

dictionary : Sets the context's dictionary to the default.

hd-mode :Sends records to the Diameter server, if all Diameter servers are down or unreachable, then copies records to the local HDD and periodically retries the Diameter server.

max-retries :0 (disabled)

max-transmissions :0 (disabled)

request-timeout :20 seconds

dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | dynamic-load | nasreq | rf-plus }

Specifies the Diameter accounting dictionary.

aaa-custom1 ... aaa-custom10 :Configures the custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.

dynamic-load :Configures the dynamically loaded Diameter dictionary. The dictionary name must be an alphanumeric string of 1 through 15 characters.For more information on dynamic loading of Diameter dictionaries, see the diameter dynamic-dictionary in the Global Configuration Mode Commands chapter of this guide.

nasreq : nasreq dictionary—the dictionary defined by RFC 3588.

rf-plus :RF Plus dictionary.

endpoint endpoint_name

Enables Diameter to be used for accounting, and specifies which Diameter endpoint to use.

endpoint_name is an alphanumeric string of 1 through 63 characters.

hd-mode fall-back-to-local

Specifies that records be copied to the local HDD if the Diameter server is down or unreachable. CDF/CGF will pull the records through SFTP.

hd-storage-policy hd_policy

Specifies the HD Storage policy name.

hd_policy must be the name of a configured HD Storage policy, expressed as an alphanumeric string of 1 through 63 characters.

HD storage policies are configured through the Global Configuration Mode.

This and the hd-mode command are used to enable the storage of Rf Diameter Messages to HDD incase all Diameter Servers are down or unreachable.

max-retries max_retries

Specifies how many times a Diameter request should be retried with the same server, if the server fails to respond to a request.

max_retries specifies the maximum number of retry attempts. The value must be an integer from 1 through 1000.

Default: 0

max-transmissions transmissions

Specifies the maximum number of transmission attempts for a Diameter request. Use this in conjunction with the "max-retries max_retries " option to control how many servers will be attempted to communicate with.

transmissions specifies the maximum number of transmission attempts for a Diameter request. The value must be an integer from 1 through 1000. Default: 0

request-timeout duration

Specifies how long the system will wait for a response from a Diameter server before re-transmitting the request.

duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request. This value must be an integer from 1 through 3600. Default: 20

server host_name priority priority

Specifies the current context Diameter accounting server's host name and priority.

host_name specifies the Diameter host name, expressed as an alphanumeric string of 1 through 63 characters.

priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.

This command configures Diameter authentication related settings.

no diameter authentication { allow any-host | endpoint | max-retries | max-transmissions | server host_name }

default diameter authentication { dictionary | max-retries | max-transmissions | redirect-host-avp | request-timeout }

Configures default setting for specified parameter.

dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | dynamic-load | nasreq }

Specifies the Diameter authentication dictionary.

aaa-custom1 ... aaa-custom8,aaa-custom10 ... aaa-custom20 : Configures the custom dictionaries.Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.

Important

aaa-custom11 dictionary is only available in Release 8.1 and later. aaa-custom12 to aaa-custom20 dictionaries are only available in Release 9.0 and later releases.

aaa-custom9 : Configures the STa standard dictionary.

dynamic-load : Configures the dynamically loaded Diameter dictionary. The dictionary name must be an alphanumeric string of 1 through 15 characters.For more information on dynamic loading of Diameter dictionaries, see the diameter dynamic-dictionary in the Global Configuration Mode Commands chapter of this guide.

nasreq : nasreq dictionary—the dictionary defined by RFC 3588.

endpoint endpoint_name

Enables Diameter to be used for authentication, and specifies which Diameter endpoint to use.

endpoint_name is an alphanumeric string of 1 through 63 characters.

max-retries max_retries

Specifies how many times a Diameter authentication request should be retried with the same server, if the server fails to respond to a request.

max_retries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000. Default: 0

max-transmissions transmissions

Specifies the maximum number of transmission attempts for a Diameter authentication request. Use this in conjunction with the "max-retries max_retries " option to control how many servers will be attempted to communicate with.

transmissions specifies the maximum number of transmission attempts, and must be an integer from 1 through 1000. Default: 0

diameter authentication redirect-host-avp { just-primary | primary-then-secondary }

Specifies whether to use just one returned AVP, or use the first returned AVP as selecting the primary host and the second returned AVP as selecting the secondary host.

just-primary :Redirect only to primary host.

primary-then-secondary :Redirect to primary host, if fails then redirect to the secondary host.

Default: just-primary

request-timeout duration

Specifies how long the system will wait for a response from a Diameter server before re-transmitting the request.

duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request, and must bean integer from 1 through 3600. Default: 20

server host_name priority priority

Specifies the current context Diameter authentication server's host name and priority.

host_name specifies the Diameter host name, expressed as an alphanumeric string of 1 through 63 characters.

priority specifies the relative priority of this Diameter host, and must be an integer from 1 through 1000. The priority is used in server selection.

This command configures error handling for Diameter EAP requests.

no

Disables Diameter authentication failure handling.

default

Configures the default Diameter authentication failure handling setting.

authorization-request

Specifies that failure handling is to be performed on Diameter authorization request messages (AAR/AAA).

eap-request

Specifies configuring failure handling for EAP requests.

eap-termination-request

Specifies configuring failure handling for EAP termination requests.

request-timeout action { continue | retry-and-terminate | terminate }

Specifies the action to be taken for failures:

result-code result_code { [ to end_result_code ] action { continue | retry-and-terminate | terminate } }

result_code : Specifies the result code, must be an integer from 1 through 65535.

to end_result_code : Specifies the upper limit of a range of result codes. end_result_code must be greater than result_code .

action { continue | retry-and-terminate | terminate } : Specifies action to be taken for failures:

Important

For any failure encountered, the "continue" option terminates the call as with the "terminate" option for all Diameter dictionaries except aaa-custom15 dictionary. This behavior is true in releases prior to 20. In 20 and later releases, the "continue" option is applicable for all S6b dictionaries including aaa-custom15 dictionary.

This command is deprecated and is replaced by the diameter accounting dictionary and diameter authentication dictionary commands. See diameter accounting and diameter authentication commands respectively.

This command enables the creation, configuration or deletion of a Diameter endpoint.

no

Removes the specified Diameter endpoint.

Important

In 19.5, 21.0 and later releases, deleting the endpoint using the "no diameter endpoint" command throws the following warning message and prompts for user's confirmation: Warning: It is not recommended to remove the diameter endpoint when there are active calls on the system. Hence, please adhere to the 'Method of Procedure' to remove the endpoint. Otherwise, the system behavior would be undefined. Are you sure? [Yes|No]:

Method of Procedure: The following two steps should be performed in the same order to remove the Diameter endpoint:

1. To disable/breakdown the link/transport connections:

   1. Disable all the peers in the endpoint using the diameter disable endpoint endpoint_name peer peer-name CLI command. Repeat this command for all the peers in the endpoint. This will trigger the Disconnect-Peer-Request (DPR) towards the peers with the configured disconnection cause, that is to indicate, graceful shut down.

   2. Remove the endpoint in the respective context, under Diameter configuration, by using the no endpoint endpoint-name CLI command.

2. To enable/bring up the transport connections, follow the standard procedure of adding the endpoints and corresponding peers in it.

   1. Add the endpoints with "use diamproxy" option. Else, the links will be established from Session Manager via diabase library.

   2. Add the corresponding peers in the endpoints.

endpoint_name

Specifies name of the Diameter endpoint as an alphanumeric string of 1 through 63 characters that should be unique within the system.

If the named endpoint does not exist, it is created, and the CLI mode changes to the Diameter Endpoint Configuration Mode wherein the endpoint can be configured.

If the named endpoint already exists, the CLI mode changes to the Diameter Endpoint Configuration Mode wherein the endpoint can be reconfigured.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

This command enables/disables the creation, configuration or deletion of the Hard Disk Drive (HDD) module in the context.

no

Deletes the HDD module from the context.

This command configures Diameter SCTP parameters for all Diameter endpoints within the context. In 12.2 and later releases, this command is obsolete and replaced with associate sctp-parameters-template command in the Diameter Endpoint Configuration Mode.

default

Configures this command with the default settings.

hearbeat-interval interval

Specifies the time interval between heartbeat chunks sent to a destination transport address in seconds.

interval must be an integer from 1 through 255.

Default: 30 seconds

path max-retransmissions retransmissions

Specifies the maximum number of consecutive retransmissions over a destination transport address of a peer endpoint before it is marked as inactive.

retransmissions must be an integer from 1 through 10.

Default: 10

This command is deprecated and is replaced by the diameter endpoint command.

Creates a DNS client and/or enters the DNS Client Configuration Mode.

no

Removes the specified DNS client from the context.

dns-client name

Specifies a name for the DNS client as an alphanumeric string of 1 through 63 characters.

Configures a domain alias for the current context.

no

Indicates the domain specified is to be removed as an alias to the current context.

[ * ] domain_name

domain_name specifies the domain alias to create/remove from the current context. If the domain portion of a subscribers user name matches this value, the current context is used for that subscriber.

domain_name must be an alphanumeric string of 1 through 79 characters. The domain name can contain all special characters, however note that the character * (wildcard character) is only allowed at the beginning of the domain name.

If the domain name is prefixed with * (wildcard character), and an exact match is not found for the domain portion of a subscriber's username, subdomains of the domain name are matched. For example, if the domain portion of a subscriber's user name is abc.xyz.com and you use the domain command domain *xyz.com it matches. But if you do not use the wildcard (domain xyz.com ) it does not match.

Important

The domain alias specified must not conflict with the name of any existing context or domain names.

default subscriber subscriber_template_name

Specifies the name of the subscriber template to apply to subscribers using this domain alias.

subscriber_template_name must be an alphanumeric string of 1 through 127 characters. If this keyword is not specified the default subscriber configuration in the current context is used.